4,000 fake PyPI modules found. Supply chain attacks in Python community

A Sophos security report details the discovery of at least 4,000 fake libraries in the PyPI repository, all uploaded by a user identified as Remind Supply Chain Risks. The libraries carry names that resemble those of legitimate projects, and so far researchers have found no malicious code in them beyond a Python command that sends data to a third-party server.

The names of most of the fake packages are distinctive enough that they are unlikely to be downloaded by mistake. All of the forgeries that were found have since been removed from PyPI.

As the report notes, packages from PyPI are downloaded and installed either by running pip install <package name> directly or through the installer of a program that pulls them in as dependencies. In both cases the installer trusts whatever the repository serves under that name, which is exactly the trust relationship threat actors abuse when they upload malicious packages or malicious updates to the repository.

The result is that malicious code spreads through the entire infrastructure of any organization that installs the compromised components. Alex Birsan, a cybersecurity specialist, recently demonstrated with his "dependency confusion" research that such supply chain attacks are practical against real organizations.

Less sophisticated attackers have an easier route, typosquatting: they publish a package under a misleading name on a public repository so that users who mistype the name of the package they actually want download the malicious copy instead. Experts believe that is exactly what Remind Supply Chain Risks did, uploading five fake packages to PyPI, including:

  • asteroids: an imitation of Asteroid, an audio library
  • beauitfulsoup4: an imitation of beautifulsoup4, the web page parser
  • llvm: an imitation of the llvmpy library
  • wwebsite: an imitation of the website toolbox

The fake components appear to be designed to collect telemetry, that is, counts of downloads and installations. Each one simply connects to a remote server in Japan, reports its own package name, and ignores any response.

PyPI has a cleanup process for such uploads, but Remind Supply Chain Risks has not given up. On March 3 the same account published a new fake package, beatufulsoup4. The project's own description makes the intended typo explicit: "You may want to install beautifulsoup4, not beautfulsoup4."
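A practical defence against the typosquatting described above (the asteroids, beauitfulsoup4, llvm and wwebsite uploads, and the later beatufulsoup4) is to check every name in a requirements file against the packages you actually depend on before pip ever runs, flagging names that are one or two edits away from a known one. The following is an added example written for this article, not code from Sophos, PyPI or the packages discussed. The allowlist and the requirements text are constructed; in practice the allowlist would come from your lockfile or internal index.

```python
"""Flag requirement names that look like typosquats of known packages.

Added example, not from the Sophos report or from PyPI. KNOWN_PACKAGES and
REQUIREMENTS below are constructed sample data.
"""
import re
from typing import List, Optional, Tuple

# Constructed allowlist: the legitimate projects the fake packages imitated,
# plus one unrelated package that must not be flagged.
KNOWN_PACKAGES = {"asteroid", "beautifulsoup4", "llvmpy", "website", "requests"}

# Constructed requirements file mixing legitimate and look-alike names.
REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.25.1
asteroids
beauitfulsoup4>=4.9
llvm
wwebsite
beatufulsoup4
llvmpy==0.12.7
"""

def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_', '.'
    collapse to a single '-', so Beautiful_Soup4 and beautiful-soup4 compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1. Transposition
    matters here because 'beauitful' -> 'beautiful' is a single swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def nearest_known(name: str, known=KNOWN_PACKAGES,
                  max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (known_name, distance) for the closest allowlisted package if the
    requested name is NOT itself allowlisted and lies within max_distance edits.
    Returns None for exact allowlist members and for unrelated names."""
    target = normalize(name)
    if target in {normalize(k) for k in known}:
        return None
    best = min(((k, damerau_levenshtein(target, normalize(k))) for k in known),
               key=lambda pair: pair[1])
    return best if best[1] <= max_distance else None

def scan_requirements(text: str, known=KNOWN_PACKAGES,
                      max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Parse a requirements.txt body and return (requested, suspected_target,
    distance) for every name that looks like a typosquat of an allowlisted package."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):       # blank, comment, or pip option
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)  # name before ==, >=, [extras], ;
        if not m:
            continue
        requested = m.group(1)
        near = nearest_known(requested, known, max_distance)
        if near is not None:
            hits.append((requested, near[0], near[1]))
    return hits

if __name__ == "__main__":
    for requested, target, dist in scan_requirements(REQUIREMENTS):
        print(f"SUSPECT {requested!r}: {dist} edit(s) from known package {target!r}")
```

Run against the constructed file, the scan flags asteroids, beauitfulsoup4, llvm, wwebsite and beatufulsoup4 while letting requests and llvmpy through. The edit-distance threshold is a trade-off: very short names (three or four characters) sit within one edit of many legitimate packages, so a real deployment would lower max_distance for short names or require a human review step, and in any case this check complements rather than replaces pinned versions with hashes (pip install --require-hashes) and an internal mirror that only serves vetted packages.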

To learn more about information security risks, malware variants, vulnerabilities and information technologies, please feel free to access the International Institute of Cyber Security (IICS) website.